Topic: Howto snort 2.1.1 + Acid

[Crome]

Will this howto work with Snort 2.1.2?

[Crome]

Ok,

A lot of posts on this subject but I'm not sure how to proceed. I've got the following RPMS installed:

snort-mysql-2.1.1-1
snort-2.1.1-1
sme-snort-0.2-2
sme-acid-0.2-1

Now, I've got 2 problems:
- I'm pretty sure only traffic from eth0 is being watched. How do I change this? It isn't very clear from all the verious posts?
- I get the following error from my daily cron job:

/etc/cron.daily/logrotate:

error: error accessing /var/log/snort/*: No such file or directory
error: snort:4 glob failed for /var/log/snort/*/*log

What shall I do?

[MasterSleepy]

Hello,

Edit the file /etc/logrotate.d/snort
and replace the line
/var/log/snort/*log /var/log/snort/*/alert /var/log/snort/*/*log

by
/var/log/snort/alert

Regards.

[Crome]

That works indeed. But what about the other problem?

- I'm pretty sure only traffic from eth0 is being watched. How do I change this? It isn't very clear from all the verious posts?

[MasterSleepy]

Hi,

The interface, snort listen on is given by the result of that command :
/sbin/e-smith/db configuration getprop ExternalInterface Name

That is in the script /etc/rc.d/init.d/snortd

You can also have the interface snort listen on by typing ps -ef at command prompt and you should have something like :
snort    24895     1  0 14:00 ?        00:00:02 /usr/sbin/snort -D -i ppp0 -u snort -g snort -c /etc/snort/snort.conf

Here for me it's ppp0.

regards.

[Mark R]

Hi All,

I have installed Snort and Acid ref. Sleepy SME tutorial, should i have a control panel for snort??? acid is workin ok

Thanks

[Crome]

The interface, snort listen on is given by the result of that command :
/sbin/e-smith/db configuration getprop ExternalInterface Name

It returns ppp0 so that's good.

You can also have the interface snort listen on by typing ps -ef at command prompt and you should have something like :
snort    24895     1  0 14:00 ?        00:00:02 /usr/sbin/snort -D -i ppp0 -u snort -g snort -c /etc/snort/snort.conf

Here for me it's ppp0.

For me too so that looks good. The only problem is that when I checked for running processes on snort, no snort daemon was running. I'm guessing something goes wrong when I change IP-address? Is there any logfile I could check to see if snortd is crashing?

I greatly appreciate your help!

[Crome]

I have installed Snort and Acid ref. Sleepy SME tutorial, should i have a control panel for snort??? acid is workin ok

There's no control panel for Snort in the server manager...

[Crome]

I checked out my /etc/snort/snort.conf and I found the following:

Code: [Select]

var HOME_NET [127.0.0.1/1,192.168.0.0/24,192.168.0.0/24,195.144.82.7/1]

var EXTERNAL_NET 195.144.82.7

Is this right? My current IP-address is being assigned to both variables? Where's the logic in this?

[MasterSleepy]

That config file is regenerated when the ip adresse change.
Snort stop when he lost the ip, service will restart after ip has change.

Normally every thing is automatical, normally  

[rexgaylord]

Is there a way to re-create the snort_log.  mysql has poassword set to yes and it didn't get created during install.  I was able to set the user and password in acid_conf.php, but it wasn't there so when I created manually I got an error that it had to be created during the install.  None of the packages will uninstall, so I have to go forward.

[elorenz]

Hi Michael,
I have looked for the sme-snort and sme-acid noarch rpms in your site and can´t find them, only src rpms.
Can you point me to the right spot?
Regards,

[elorenz]

Hi Michael,
I have looked for the sme-snort and sme-acid noarch rpms in your site and can´t find them, only src rpms.
Can you point me to the right spot?
Regards,

Hi Michael,
Thanks for placing the  noarch.rpm's on your sites download area.
I have istalled the packages and it's working fine, but I had to manually expand the snort.conf template before ACID could show the correct sensor count.
Best regards to you and many thanks for your great work,
Ernesto

[Knuddi]

Hi,

I have installed as per:
http://vanhees.homeip.net/index.php?module=ContentExpress&func=display&ceid=19

and see in my messagelog many of these:

Sep  9 13:18:21 gateway snort: database: mysql_error: Warning:  Some non-transactional changed tables couldn't be rolled back SQL=ROLLBACK
Sep  9 13:18:28 gateway snort: database: mysql_error: Can't open file: 'data.MYD'. (errno: 145) SQL=INSERT INTO data (sid,cid,data_payload) VALUES ('1','1804','304C02010004067075626C6963A03F02020E3E0201000201003033300F060B2B060102011903020105010500300F060B2B060102011903050101010500300F060B2B060102011903050102010500')
Sep  9 13:18:28 gateway snort: database: mysql_error: Warning:  Some non-transactional changed tables couldn't be rolled back SQL=ROLLBACK

As if a database entry is missing? Any good suggestions?

[MasterSleepy]

Hello,

Can you check if the database has been created?

Regards.